7/31/2019 GSM Overview Study
1/46
7/12/12 .
Contents
1 Introduction
2 Architecture
3 BSS, MSS, OSS and MS
4 GSM Protocol Stack
5 Radio Interface
6 Call Setup (MO, MT)
7 Location Update
8 Handover
9 Security
1 Introduction
Introduction / History
- Developed by the Groupe Spécial Mobile (founded 1982), which was an initiative of CEPT (Conference of European Post and Telecommunication) to replace the incompatible analog systems.
- Presently, the responsibility for GSM standardization resides with the Special Mobile Group under ETSI (European Telecommunications Standards Institute).
- Under ETSI, GSM is named Global System for Mobile communication. It is a 2G cellular standard developed to cater for voice services and data delivery using digital modulation.
- GSM uses a combination of Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA).
- Tri-band phones use the 900, 1800 and 1900 MHz GSM frequencies. Quad-band phones are also available, covering the 850, 900, 1800 and 1900 MHz GSM frequency bands.
GSM Subscriber Growth
More than 3 billion subscribers in the world and 400 million subscribers in India.
GSM Frequencies
[Figure: GSM frequency bands (850 MHz, 900 MHz, 1800 MHz, 1900 MHz) and single-band, dual-band, tri-band and quad-band phones]
GSM Services
Services offered by GSM
Tele-services
- Telecommunication services that enable voice communication via mobile phones.
- Offered services include mobile telephony and emergency calling.
Bearer or Data Services
- Include various data services for information transfer between GSM and other networks like PSTN, ISDN, etc., at rates from 300 to 9600 bps.
2 Architecture
GSM Architecture
3 BSS, MSS, OSS and MS
GSM Network Entities (1/3)
MS (Mobile Station) - The MS consists of the physical equipment used by a PLMN subscriber; it comprises the Mobile Equipment (ME) and the Subscriber Identity Module (SIM), called USIM for Release 99 and following.
Access Network (AN) Entities - Radio-related functions between mobile stations and the network are performed by the following entities:
BSC (Base Station Controller) - It is a high-capacity switch with radio communication and mobility control capabilities. Its functions include radio channel allocation, location update, handover, timing advance, power control and paging.
BTS (Base Transceiver Station) - It is a radio transceiver station that communicates with the mobile stations. Its backend is connected to the BSC. Its transmitting power defines the size of a cell.
GSM Network Entities (2/3)
PLMN - Public Land Mobile Network
- These entities are responsible for call connection, supervision and release operations between calling and called stations.
HLR (Home Location Register) - The HLR is the database that contains a subscription record for each subscriber of the network. A GSM subscriber is normally associated with one particular HLR. The HLR is responsible for sending subscription data to the VLR (during registration) or the GMSC (during mobile terminating call handling).
MSC (Mobile Switching Center) / VLR (Visitor Location Register) - The MSC performs the telephony switching function. A mobile station must be attached to a single MSC at a time (either home or visitor) if it is currently active (not switched off). The VLR is a database attached to an MSC that contains information about its currently associated mobile stations (not just for visitors).
GSM Network Entities (3/3)
PLMN - Public Land Mobile Network (contd.)
AUC (Authentication Center) - The AUC provides authentication and encryption parameters that verify the user's identity and ensure the confidentiality of each call. GSM has standard encryption and authentication algorithms, which are used to dynamically compute challenge keys and encryption keys for a call.
EIR (Equipment Identity Register) - The EIR is the logical entity responsible for storing in the network the International Mobile Equipment Identities (IMEIs) used in the GSM system. The equipment is classified as "white listed", "grey listed" or "black listed", or it may be unknown.
GMSC (Gateway MSC) - The GMSC is the switching entity that controls mobile terminating calls. On call establishment towards a GSM subscriber, a GMSC contacts the HLR of that subscriber to obtain the address of the MSC where that subscriber is currently registered.
4 GSM Protocol Stack
GSM Protocol Layers 1/2
GSM Protocol Layers 2/3
CM (Connection Management)
- Call control, short message service and supplementary service
MM (Mobility Management)
- Registration, authentication, location and handover management
RR (Radio Resource Management)
- Setup, maintenance and release of radio channels
- Control of radio transmission quality
LAPDm (Link Access Protocol D-channel modified)
- Modified version of ISDN LAPD protocol
BTSM (Base Transceiver Station Management)
- Radio resources control messages between BSC and BTS
BSSAP (Base Station System Application Part)
- Control of BSC by MSC
GSM Interfaces (1/3)
[Figure: GSM network elements (MS, BTS, BSC, MSC, VLR, HLR, AuC, GMSC, PSTN, grouped into BSS and NSS, with SS7) and the interfaces between them (Abis, A, B, C, D, E, H). The MS is labelled "2G MS (voice only)".]
BSS Base Station System
BTS Base Transceiver Station
BSC Base Station Controller
NSS Network Sub-System
MSC Mobile-service Switching Controller
VLR Visitor Location Register
HLR Home Location Register
AuC Authentication Server
GMSC Gateway MSC
GSM Interfaces (2/3)
Um-interface
- The interface between the MS and the BSS.
Abis-interface
- The Abis-interface is the interface between the BTS and the BSC.
- The transmission rate is 2.048 Mbps, which is partitioned into 32 channels of 64 Kbps each.
A-interface
- The BSS-MSC interface is used to carry information concerning BSS management, call handling and mobility management.
C-interface
- Interface between HLR and MSC.
- The Gateway MSC must interrogate the HLR of the required subscriber to obtain routing information for a call.
GSM Interfaces (3/3)
B-interface
- Interface between the MSC and its associated VLR. When the MSC needs data related to a given mobile station currently located in its area, it interrogates the VLR.
- This interface is internal to the MSC/VLR; signaling on it is not standardized.
D-interface
- Interface between HLR and VLR.
- This interface is used to exchange the data related to the location of the mobile station and to the management of the subscriber.
G-interface
- When a mobile subscriber moves from one VLR area to another, Location Registration is done. This procedure may result in retrieval of the IMSI and authentication parameters from the old VLR.
Identifiers in the GSM Network (1/3)
IMSI (International Mobile Subscriber Identity)
- The IMSI is embedded on the SIM card and is used to identify a subscriber.
- The IMSI is also contained in the subscription data in the HLR.
- MCC (Mobile Country Code) - It identifies the country for mobile networks. The MCC is not used for call establishment.
- MNC (Mobile Network Code) - It identifies the mobile network within a country. MCC and MNC together identify a PLMN for MNC usage. The MNC may be two or three digits in length.
- MSIN (Mobile Subscriber Identification Number) - It is the subscriber identifier within a PLMN.
Identifiers in the GSM Network (2/3)
MSISDN Number (Mobile Station Integrated Services Digital Network Number)
- The MSISDN is not stored on the subscriber's SIM card and is normally not available in the MS.
- The MSISDN is provisioned in the HLR, as part of the subscriber's profile, and is sent to the MSC during registration.
- CC (Country Code) - It identifies the country or group of countries of the subscriber.
- NDC (National Destination Code) - Each PLMN in a country has one or more NDCs allocated to it; the NDC may be used to route a call to the appropriate network.
- SN (Subscriber Number) - It identifies the subscriber within the number plan of a PLMN.
Identifiers in the GSM Network (3/3)
IMEI (International Mobile Equipment Identifier)
- Each mobile equipment has a unique IMEI number.
- The IMEI is hardcoded in the ME and cannot be modified.
- The IMEI is not used for routing or subscriber identification.
- The IMEI is composed of:
- Type Allocation Code (TAC) - Its length is 8 digits.
- Serial Number (SNR) - An individual serial number uniquely identifying each equipment within each TAC. Its length is 6 digits.
- Spare digit - This digit shall be zero.
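The IMSI and IMEI layouts described on the identifier slides, together with the EIR classification from the network entities slides, as an added Python example that is not part of the original deck. The PLMN table, the EIR entries and all function names are constructed for illustration, and matching EIR entries on TAC+SNR is an assumption.

```python
# Constructed sample data: test PLMNs and EIR entries, not real operator values.
KNOWN_PLMNS = {("001", "01"), ("999", "123")}
EIR = {"white": {"35000000123456"},
       "grey": {"35000000654321"},
       "black": {"35000000999999"}}


def parse_imsi(imsi: str) -> dict:
    """Split an IMSI (at most 15 digits) into MCC, MNC and MSIN."""
    if not (imsi.isascii() and imsi.isdigit() and len(imsi) <= 15):
        raise ValueError("IMSI must be at most 15 decimal digits")
    mcc = imsi[:3]
    # The MNC may be two or three digits, so its length cannot be read from
    # the IMSI alone: match against the known PLMNs, longest MNC first.
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in KNOWN_PLMNS and len(imsi) > 3 + mnc_len:
            return {"mcc": mcc, "mnc": mnc, "msin": imsi[3 + mnc_len:]}
    raise ValueError(f"no known PLMN matches IMSI prefix {imsi[:6]}")


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), SNR (6) and the spare digit (1)."""
    if not (imei.isascii() and imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    return {"tac": imei[:8], "snr": imei[8:14], "spare": imei[14],
            "spare_ok": imei[14] == "0"}  # the spare digit shall be zero


def eir_status(imei: str) -> str:
    """Return 'white', 'grey', 'black' or 'unknown' for an IMEI."""
    parts = parse_imei(imei)
    ident = parts["tac"] + parts["snr"]  # assumption: lists are keyed on TAC+SNR
    for colour, entries in EIR.items():
        if ident in entries:
            return colour
    return "unknown"
```
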
5 Radio Interface
GSM Radio / Physical Layer (1/6)
FDMA/TDMA
GSM Radio / Physical Layer (2/6)
GSM Frames
- 1 frame = 8 time slots = 4.615 ms
- 1 time slot = 156.25 bits = 0.577 ms
- 1 hyperframe = 2048 superframes
For speech
- 1 superframe = 51 multiframes and 1 multiframe = 26 frames
For signaling
- 1 superframe = 26 multiframes and 1 multiframe = 51 frames
GSM Radio / Physical Layer (3/6)
The data transmitted during a single time slot is known as a burst.
Guard Time - Each burst allows 8.25 bits for guard time. This prevents bursts from overlapping.
Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is designed to compensate for the time it takes for the power to rise to its peak during a transmission. The bits at the end compensate for the powering down at the end of the transmission.
Data Bits/Encrypted Bits - There are two data payloads of 57 bits each.
Stealing Flags - Indicate whether the burst is being used for voice/data.
Training Sequence - The training sequence bits are used to overcome multi-path fading and propagation effects through a method called equalization.
GSM Radio / Physical Layer (4/6)
Physical Vs. Logical Channels
Physical channels - Using FDMA and TDMA techniques, each carrier is divided into 8 timeslots.
Logical channels - There are two main categories of logical channels in GSM:
- Control Channels
- Traffic Channels, which are used to carry two types of information to and from the user: encoded speech and data
GSM Radio / Physical Layer (5/6)
Broadcast Channels
Logical Channel | Description
FCCH | MS scans for this signal after switch-on and tunes to it
SCH | Contains the BSIC code used by the MS to check that the frequency measured by it is coming from a particular BS
BCCH | Detailed BTS and cell information
Common Control Channels
Logical Channel | Description
PCH | Used to broadcast paging messages for mobile terminated calls
RACH | Uplink-only channel, used to initiate a transaction to the paging channel
AGCH | Answer to RACH; assigns an SDCCH
GSM Radio / Physical Layer (6/6)
Dedicated Control Channels
Logical Channel | Description
SDCCH | Used for system signalling, call setup and assignment of traffic channel
SACCH | Transmits measurement reports and is used for radio control
FACCH | Used for handover; it is mapped to a traffic channel and steals 20 ms of traffic channel
6 Call Setup (MO, MT)
Mobile Originated Call (1/2)
Mobile Originated Call (2/2)
Mobile Terminated Call (1/2)
Mobile Terminated Call (2/2)
7 Location Update
Location update (1/4)
Location Area
- Cells are grouped into Location Areas. Updates are sent only when the LA is changed; a paging message is sent to all cells in the last known LA.
Location registration
- The MS has to register with the PLMN to get communication services.
- Registration is required for a change of PLMN.
- The MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
- The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
- If the MS recognizes, by reading the LAI broadcast on the BCCH, that it is in a new LA, it performs a Location Update to update the HLR records.
- The Location Update procedure could also be performed periodically, independent of the MS movement.
- The difference between Location Registration and Location Update is that in a Location Update the MS has already been assigned a TMSI.
Location update (2/4)
Case 1: Inter-LA Movement
[Figure: network diagram with MS, LA1, LA2, MSC1, MSC2, VLR 1 (appearing twice) and HLR]
HLR: Home Location Register
VLR: Visitor Location Register
MSC: Mobile Switching Center
LA: Location Area
MS: Mobile Station
Messages shown in the figure:
- A location update request message
- MAP_UPDATE_LOCATION_AREA
- MAP_UPDATE_LOCATION_AREA_ack
- A location update request message_ack
Location update (3/4)
Case 2: Inter-MSC Movement
[Figure: network diagram with MS, LA1, LA2, MSC1, MSC2, VLR 1 (appearing twice) and HLR]
Messages shown in the figure:
- A location update request message
- MAP_UPDATE_LOCATION_AREA
- MAP_UPDATE_LOCATION
- MAP_UPDATE_LOCATION_ack
- MAP_UPDATE_LOCATION_AREA_ack
- A location update request message_ack
Location update (4/4)
Case 3: Inter-VLR Movement
[Figure: network diagram with MS, LA1, LA2, MSC1, MSC2, VLR 1 (appearing twice) and HLR]
Messages shown in the figure:
- A location update request message
- MAP_UPDATE_LOCATION_AREA
- MAP_SEND_IDENTIFICATION
- MAP_SEND_IDENTIFICATION_ack
- MAP_UPDATE_LOCATION
- MAP_UPDATE_LOCATION_ack
- MAP_UPDATE_LOCATION_AREA_ack
- MAP_CANCEL_LOCATION
- MAP_CANCEL_LOCATION_ack
- A location update request message_ack
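The three location update cases reduce to two checks, whether the serving MSC changes and whether the VLR changes. The following Python example is added here and is not part of the original deck; it reproduces the message sequence of each case while tracking HLR and VLR state. The topology, the Network class and the names LOCATION_UPDATE_REQUEST and LOCATION_UPDATE_REQUEST_ack (standing for the first and last messages in the figures) are assumptions, and TMSI reallocation is left out.

```python
# Constructed topology (assumption): serving MSC per LA, and the VLR behind each MSC.
MSC_OF_LA = {"LA1": "MSC1", "LA2": "MSC1", "LA3": "MSC2", "LA4": "MSC3"}
VLR_OF_MSC = {"MSC1": "VLR1", "MSC2": "VLR1", "MSC3": "VLR2"}


class Network:
    """Toy HLR/VLR state; names and layout are illustrative, not from the deck."""

    def __init__(self):
        self.vlr = {"VLR1": {}, "VLR2": {}}  # per VLR: TMSI -> {"imsi", "la"}
        self.hlr = {}                        # IMSI -> (MSC, VLR) currently serving

    def register(self, imsi, tmsi, la):
        msc = MSC_OF_LA[la]
        self.vlr[VLR_OF_MSC[msc]][tmsi] = {"imsi": imsi, "la": la}
        self.hlr[imsi] = (msc, VLR_OF_MSC[msc])

    def location_update(self, tmsi, old_la, new_la):
        """Return the message trace for an MS (known by TMSI) entering new_la."""
        old_msc, new_msc = MSC_OF_LA[old_la], MSC_OF_LA[new_la]
        old_vlr, new_vlr = VLR_OF_MSC[old_msc], VLR_OF_MSC[new_msc]
        trace = ["LOCATION_UPDATE_REQUEST", "MAP_UPDATE_LOCATION_AREA"]
        if new_vlr != old_vlr:
            # Case 3: the new VLR cannot resolve the TMSI, so it asks the old VLR
            trace += ["MAP_SEND_IDENTIFICATION", "MAP_SEND_IDENTIFICATION_ack"]
        imsi = self.vlr[old_vlr][tmsi]["imsi"]
        if new_msc != old_msc:
            # Cases 2 and 3: the HLR must learn the new serving MSC/VLR
            self.hlr[imsi] = (new_msc, new_vlr)
            trace += ["MAP_UPDATE_LOCATION", "MAP_UPDATE_LOCATION_ack"]
        self.vlr[new_vlr][tmsi] = {"imsi": imsi, "la": new_la}
        trace.append("MAP_UPDATE_LOCATION_AREA_ack")
        if new_vlr != old_vlr:
            # Case 3: the stale record in the old VLR is cancelled
            del self.vlr[old_vlr][tmsi]
            trace += ["MAP_CANCEL_LOCATION", "MAP_CANCEL_LOCATION_ack"]
        trace.append("LOCATION_UPDATE_REQUEST_ack")
        return trace
```

Throughout the trace the MS is identified by its TMSI; the IMSI is resolved inside the network from VLR state.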
8 Handover
Handover (1/2)
There are four different types of handover in the GSM system. Handover involves transferring a call between:
- Channels (time slots) in the same cell
- Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC)
- Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC)
- Cells under the control of different MSCs
Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).
During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength.
This information is passed to the BSC and MSC at least once per second, and is used by the handover algorithm.
Handover (2/2)
[Figure: connection route during handover across MSC-A, MSC-B and MSC-C, their BSCs, and BTS1, BTS2 and BTS3, with steps numbered 1 to 9]
9 Security
GSM Authentication
Authentication Mechanism
- Authentication is performed by a challenge and response mechanism.
- On receiving a random challenge from the network, the mobile encrypts the challenge using the A3 algorithm and the key Ki assigned to the mobile, and sends the response back.
- The response so sent is passed through an algorithm A8 by both mobile and network to derive Kc, which is used for encryption.
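The challenge-response exchange with both sides shown, as an added Python example that is not part of the original deck. HMAC-SHA256 stands in for A3 and A8, whose real implementations are chosen by the operator; the class and function names are hypothetical. It assumes the sizes and inputs of the GSM specifications: a 128-bit RAND, a 32-bit response (SRES), a 64-bit Kc, and Kc computed from RAND and Ki.

```python
import hashlib
import hmac
import secrets


def _keyed(ki: bytes, rand: bytes, label: bytes, nbytes: int) -> bytes:
    # Stand-in for the operator-chosen A3/A8 algorithms (assumption):
    # HMAC-SHA256 truncated to the GSM output size. This is not COMP128.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:nbytes]


def a3(ki: bytes, rand: bytes) -> bytes:
    """Signed response SRES (32 bits)."""
    return _keyed(ki, rand, b"A3", 4)


def a8(ki: bytes, rand: bytes) -> bytes:
    """Cipher key Kc (64 bits)."""
    return _keyed(ki, rand, b"A8", 8)


class AuC:
    """Network side: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str):
        ki, rand = self._ki[imsi], secrets.token_bytes(16)  # 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)


class Sim:
    """Mobile side: Ki never leaves the card; only SRES is sent back."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc: AuC, sim: Sim):
    """Run one challenge-response; return (accepted, Kc_network, Kc_mobile)."""
    rand, expected_sres, kc_net = auc.triplet(sim.imsi)  # RAND goes to the MS
    sres, kc_ms = sim.respond(rand)                      # SRES comes back
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, kc_net, kc_ms
```

Neither Ki nor Kc crosses the radio interface: a SIM holding a different Ki fails the SRES comparison and also ends up with a different Kc.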
Abbreviations (1/2)
AUC Authentication Center
BSC Base Station Controller
BSS Base Station Subsystem
BTS Base Transceiver System (Antenna System + Radio Base Station)
EIR Equipment Identification Register (for IMEI verification)
IMEI International Mobile Equipment Identity
GMSC Gateway MSC
HLR Home Location Register
ISDN Integrated Services Digital Network
IWF Interworking Function
ILR Interworking Location Register (roaming between AMPS and GSM system)
IWMSC Interworking MSC
MS Mobile Station
MSC Mobile Switching Center
NSS Network Switching Subsystem
OSS Operation and Support System
PDN Public Data Network
PLMN Public Land Mobile Network
PSTN Public Switched Telephone Network
SMS Short Message Service
SABME Set Asynchronous Balance Mode Extended
VLR Visitor Location Register
Abbreviations (2/2)
AGCH Access Grant Channel
BCCH Broadcast Common Control Channel
CBCH Cell Broadcast Channel
FACCH Fast Associated Control Channel
FCCH Frequency Correction Channel
PCH Paging Channel
RACH Random Access Channel
SDCCH Standalone Dedicated Control Channel
SACCH Slow Associated Control Channel
SCH Synchronization Channel